I set up 1password scim bridge to integrating okta. Scim bridge working properly only when I publicly 443 ports everywhere on our firewall rules. When I get port 443 to VPN(behind NAT ips). I see connected properly from our scim domain. But 1password monitoring shows an error. I see only this error on the scim bridge logs 7:27AM INF failed to verify session error="failed to touch session: failed to DoEncrypted: Authorization: (401) (Unauthorized), You aren't authorized to perform this action." application=op-scim component=SCIMServer 1Password Version: Not Provided Extension Version: Not Provided OS Version: Ubuntu 20.04 Sync Type: on cloud

Hi @halilbozan You may need to make the health monitoring service available to your SCIM bridge instance. You can check out the documentation https://support.1password.com/scim-troubleshooting/#if-the-health-monitoring-service-cant-contact-the-scim-bridge. Let us know if this helps.

I set up with docker and I look docker logs at the instance, I can't see anything. Is there any restriction with okta between 1password? I see the same error above when I access your link. I would like to open only our private network in our security group.

Hi @halilbozan, Thank you for your response! We use Checkly as a third party service for our health monitoring feature, so in order for it to work properly you would need to allow Checkly traffic to the SCIM bridge, which may include making a whitelist for their IP ranges, as you can read about https://www.checklyhq.com/docs/monitoring/whitelisting/. This perhaps could be the issue you're experiencing with the health monitoring error, as it seems like your SCIM bridge is working and authenticating correctly. Can you explain a little more what you are trying to accomplish with your security groups that you mentioned? Are you using AWS as your cloud provider? Are you using LetsEncrypt, or perhaps terminating TLS at a load balancer? Are you only locking down ports or IP ranges too? Looking forward to assisting you further! Chas

Hi, - I am using AWS - I am using LetsEncrypt You can see above everything looks right, but there is an error on the 1password integrations page. My security group opened everywhere for now. Otherwise, I have the error above(if only accessible from my private VPC - Natgateways IPs). But, I am wanna open only my AWS client VPC - Natgateway IPs.

Hello @halilbozan! The status page you're seeing shows that the SCIM bridge is healthy, which is good! I would first like to mention that enabling health monitoring is completely optional - if you don't want to open up to allow Checkly access to your SCIM bridge, you don't have to. Going to that status page tells you the same information, you just need to seek it out as opposed to getting an email if it goes down for some reason. Your IdP needs access to your SCIM bridge in order to send requests to it, and the SCIM bridge needs to be able to send the requests through to 1Password. If you want monitoring on your account, Checkly also needs to be able to access your SCIM bridge. Those are the only access requirements, so if you allow outbound traffic and whitelist Okta and Checkly IP addresses, you should be able to restrict any other access. That being said, the bearer token is required in order to do anything with the SCIM bridge, so even if you leave some ports open to the internet it is still secured by TLS and the bearer token. Please let me know if you have any further questions! Amanda

I have an issue for integration of 1password between okta

13 Replies

Former Member
5 years ago
Hi @halilbozan,

Thank you for your response!

We use Checkly as a third party service for our health monitoring feature, so in order for it to work properly you would need to allow Checkly traffic to the SCIM bridge, which may include making a whitelist for their IP ranges, as you can read about https://www.checklyhq.com/docs/monitoring/whitelisting/. This perhaps could be the issue you're experiencing with the health monitoring error, as it seems like your SCIM bridge is working and authenticating correctly.

Can you explain a little more what you are trying to accomplish with your security groups that you mentioned? Are you using AWS as your cloud provider? Are you using LetsEncrypt, or perhaps terminating TLS at a load balancer? Are you only locking down ports or IP ranges too?

Looking forward to assisting you further!

Chas
Former Member
5 years ago
I set up with docker and I look docker logs at the instance, I can't see anything. Is there any restriction with okta between 1password? I see the same error above when I access your link. I would like to open only our private network in our security group.
Former Member
5 years ago
Hi @halilbozan

You may need to make the health monitoring service available to your SCIM bridge instance. You can check out the documentation https://support.1password.com/scim-troubleshooting/#if-the-health-monitoring-service-cant-contact-the-scim-bridge.

Let us know if this helps.

Forum Discussion

I have an issue for integration of 1password between okta

13 Replies

Featured discussions

September at 1Password: Browser versions, enhanced security, and new integrations

Recent discussions

Desktop Integration Cannot Find App

Env var loading and validation for 1Password (open source!)

AWS Shell plugin is not providing session token

Password generator when exporting ssh keys

[Linux] Use $XDG_RUNTIME_DIR instead of $HOME/.1password?